Now that every Internet user has been told repeatedly that clicking links in email messages is a bad idea, the scammers and crooks have given up on sending those messages, because they don't work anymore. Right? Well, no. Scam messages linking to malicious websites are just as rife as ever, and it's your fault. Why do you click those links? Dr. Zinaida Benenson, from the University of Erlangen-Nuremberg, decided to find out, and revealed her findings at the Black Hat conference in Las Vegas. The results weren't encouraging.

"When we started thinking about research in this area, we asked, what don't we know yet?" said Benenson. "Is there any difference if you send the suspicious message via email or Facebook? We wanted to ask people why they clicked a link or didn't, to know how they reason about security decisions."

At last year's Black Hat conference, researcher Laura Bell proposed that instead of scanning PCs for security, we scan the users. Benenson took a more cautious tone. She mentioned the problem of testing people without their consent. "Sometimes this is done in organizations," she said, "and it can go very wrong. But we can't say, hey, we're going to send you some phishing messages, so be sure to react the way you usually would."

Benenson recruited student volunteers for a study on "online activity," promising that some participants would win gift cards. She used email and Facebook to send 1,600 university students a message containing a link to "pictures from the party last week." Those who clicked the link didn't get to see any racy photos; they simply got an "access denied" message. Naturally Benenson's experiment recorded just who fell for the gambit.

It turns out that addressing the recipient by first name is a great way to convince them the message is legit, at least in email. Over half (56 percent) of email recipients and 38 percent of those getting a Facebook message clicked the link when the message addressed them by name. Without the first name, only 20 percent who got the message by email took the bait. On Facebook the name made no difference: 42.5 percent of those who received the unpersonalized message clicked, slightly more than the personalized group.
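The comparison above is the kind a security team running its own phishing simulation should be able to reproduce: split recipients into variants (channel, personalized or not), count clicks per variant, and check whether an observed gap is large enough to act on rather than noise. The following is an added example, not code from the article or from Benenson's study; the recipient counts are constructed to mirror the percentages quoted above (the study's real group sizes are not given on the page), and the two-proportion z-test goes beyond what the article reports.

```python
"""Per-variant click-rate analysis for a phishing-simulation campaign.

Added example; not the article's or the study's code. Each record is one
recipient: which channel carried the lure, whether the lure used the
recipient's first name, and whether they clicked. Group sizes and click
counts below are CONSTRUCTED to reproduce the quoted percentages.
"""
from collections import Counter
from dataclasses import dataclass
from math import erfc, sqrt


@dataclass(frozen=True)
class Recipient:
    channel: str        # "email" or "facebook"
    personalized: bool  # lure addressed the recipient by first name
    clicked: bool


def constructed_campaign():
    """Synthetic recipient list (assumed sizes: 200 per variant)."""
    # (channel, personalized, recipients, clicks) -> click rate
    groups = [
        ("email", True, 200, 112),     # 56 %
        ("email", False, 200, 40),     # 20 %
        ("facebook", True, 200, 76),   # 38 %
        ("facebook", False, 200, 85),  # 42.5 %
    ]
    recipients = []
    for channel, personalized, n, clicks in groups:
        # the first `clicks` recipients of each group clicked, the rest did not
        recipients += [Recipient(channel, personalized, i < clicks) for i in range(n)]
    return recipients


def click_rates(recipients):
    """Return {(channel, personalized): (clicks, sent, rate)}."""
    sent = Counter((r.channel, r.personalized) for r in recipients)
    clicked = Counter((r.channel, r.personalized) for r in recipients if r.clicked)
    return {k: (clicked[k], sent[k], clicked[k] / sent[k]) for k in sent}


def two_proportion_z(c1, n1, c2, n2):
    """Two-sided two-proportion z-test on c1/n1 vs c2/n2; returns (z, p_value)."""
    p1, p2 = c1 / n1, c2 / n2
    pooled = (c1 + c2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:  # all or none clicked in both groups: nothing to compare
        return 0.0, 1.0
    z = (p1 - p2) / se
    p_value = erfc(abs(z) / sqrt(2))  # two-sided tail of the standard normal
    return z, p_value


def personalization_effect(recipients, channel, alpha=0.05):
    """Compare named vs unnamed lures within one channel.

    Returns (rate_named, rate_unnamed, p_value, significant).
    """
    rates = click_rates(recipients)
    c1, n1, r1 = rates[(channel, True)]
    c2, n2, r2 = rates[(channel, False)]
    _, p_value = two_proportion_z(c1, n1, c2, n2)
    return r1, r2, p_value, p_value < alpha


if __name__ == "__main__":
    campaign = constructed_campaign()
    for channel in ("email", "facebook"):
        named, unnamed, p, sig = personalization_effect(campaign, channel)
        print(f"{channel:9s} named={named:.1%} unnamed={unnamed:.1%} "
              f"p={p:.3g} {'significant' if sig else 'not significant'}")
```

With the constructed counts, the email gap (56 vs 20 percent) is significant by a wide margin, while the Facebook gap (38 vs 42.5 percent) is not, which is the practical reading of the article's numbers: personalization is a lever worth testing per channel, not a universal multiplier. Real campaigns should also record the consent and scoping decisions discussed above before any mail is sent.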

Easy to Be Fooled

The really interesting stats came in when Benenson quizzed the clickers about just what impulse caused them to take the dangerous step of clicking the link. The biggest reason, offered by 34 percent of respondents, was curiosity about the contents of the photos. Another 27 percent trusted the message because it matched their experience, in that they had attended a party recently. Although the message came from a made-up name, 16 percent thought it was someone they knew. Conversely, 51 percent of those who refrained from clicking did so because they didn't recognize the sender, and 36 percent because they'd been to no parties recently.

Based on these results, Benenson concluded that just about anybody could be induced to click a dangerous link using one of several techniques. Addressing the victim by name, crafting the message to induce curiosity, spoofing a known sender, matching message content to the victim's recent experience—these are the tried and true techniques.

Bond, James Bond

What do businesses want from awareness training? "If we want them to protect themselves," said Benenson, "they must be suspicious even if they know the sender, even if the message fits your current expectations. They must be suspicious of everything! Psychologists call this deception mode. Any time they see a message, expect that it may be fake." She mentioned exactly one employee who could plausibly operate in deception mode all the time: James Bond.


"If we want employees to be in James Bond mode all the time," she continued, "that's possible. But you have to put it in the job description, and you have to pay them appropriately." She described her own attempt to stay in deception mode all the time, with some amusing examples.

Benenson went on to point out that phishing awareness training in business can backfire. Sending employees spear-phishing emails purportedly from a colleague can cut down work efficiency by making employees distrust even valid mail. She concluded with a request for businesses that would be willing to participate in her further research.

About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted b...
